Mailinglist Archive: opensuse-security (407 mails)

Re: [suse-security] SuSEfirewall2 vs. DHCP
Erwin Lam <erwin.lam@xxxxxxx> writes:

On Mon, 1 Apr 2002, Alan Hadsell wrote:

AH> My problem: When the DHCP lease times out, the firewall box can't
AH> acquire a new one. It appears that the firewall's anti-spoofing rules
AH> are blocking the DHCP server's reply. At the time when this happens,
AH> I get numerous SuSE-FW-DROP-ANTI-SPOOFING messages with source port =
AH> 67 and destination port = 68. At this point, I lose all Internet
AH> connectivity until I reboot the firewall box.
AH>
AH> My configuration includes FW_SERVICE_DHCLIENT="yes".

You also need to set

FW_SERVICES_EXT_UDP="bootpc"

This should be equivalent to FW_SERVICES_EXT_UDP="68", right? OK,
I'll try that. I guess I don't understand why it's necessary, though.
The script says:

,----[ from SuSEfirewall2 ]
| test "$FW_SERVICE_DHCLIENT" = yes && {
| $LAA $IPTABLES -A INPUT -j LOG ${LOG}"-ACCEPT " -p udp --sport 67 -d 255.255.255.255/32 --dport 68
| $IPTABLES -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED -p udp --sport 67 -d 255.255.255.255/32 --dport 68
| }
`----

...which seems to imply that any such packet would be accepted, and
not hit the anti-spoofing rules (which are applied later). Or is it
tripping over the "--state ESTABLISHED"?

I also don't understand this: if this is an issue of not ACCEPTing the
message, why don't I get UNALLOWED-TARGET messages, rather than
ANTI-SPOOFING messages (in other words, I don't understand why it has
decided this is a spoofed message rather than just one directed to a
closed port).

--
Alan Hadsell
"Whatever does not kill me makes me stranger".
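As an added illustration of the "--state ESTABLISHED" question raised in the post above (this is editor-written example code, not part of the thread and not the SuSEfirewall2 script): a miniature model of netfilter's UDP connection tracking together with the quoted dhclient ACCEPT rule. Netfilter marks an incoming UDP packet ESTABLISHED only if it matches the swapped (reply) tuple of a flow it has already seen. A DHCP reply addressed to 255.255.255.255 never matches the reply tuple of a DISCOVER sent from 0.0.0.0, so in this model it is NEW and the quoted rule cannot accept it, whereas a unicast renewal ACK is ESTABLISHED but fails the rule's 255.255.255.255 destination test. The addresses are constructed sample values, and the conntrack model is deliberately simplified (no timeouts, no helpers).

```python
# Added example, not from the thread or the SuSEfirewall2 script: a small
# model of netfilter UDP connection tracking plus the quoted dhclient
# ACCEPT rule, used to show when "-m state --state ESTABLISHED" can and
# cannot match a DHCP server reply. Addresses are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def tuple(self):
        return (self.src, self.sport, self.dst, self.dport)

    def inverted(self):
        # The reply tuple conntrack expects: addresses and ports swapped.
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class Entry:
    reply: tuple
    seen_reply: bool = False


class Conntrack:
    """UDP conntrack in miniature: the first packet of a flow creates an
    entry keyed by its tuple; a packet matching the swapped tuple is a
    reply and makes the flow ESTABLISHED in both directions."""

    def __init__(self):
        self.entries = {}  # original tuple -> Entry

    def state(self, p: Packet) -> str:
        t = p.tuple()
        for orig, entry in self.entries.items():
            if t == entry.reply:
                entry.seen_reply = True
                return "ESTABLISHED"
            if t == orig:
                return "ESTABLISHED" if entry.seen_reply else "NEW"
        self.entries[t] = Entry(reply=p.inverted())
        return "NEW"


def dhclient_rule_accepts(p: Packet, state: str) -> bool:
    """The quoted SuSEfirewall2 rule: udp --sport 67 -d 255.255.255.255/32
    --dport 68, with -m state --state ESTABLISHED."""
    return (p.sport == 67 and p.dst == "255.255.255.255" and p.dport == 68
            and state == "ESTABLISHED")


def simulate(exchange):
    """Run a list of packets through conntrack and report, per packet, the
    conntrack state and whether the dhclient rule would ACCEPT it."""
    ct = Conntrack()
    out = []
    for p in exchange:
        st = ct.state(p)
        out.append((p, st, dhclient_rule_accepts(p, st)))
    return out


SERVER = "192.0.2.1"     # constructed: DHCP server on the external segment
CLIENT = "192.0.2.10"    # constructed: address the firewall box had leased

# Lease expired: the client starts over with a broadcast DISCOVER from
# 0.0.0.0, and the server answers to the limited broadcast address.
EXPIRED_LEASE = [
    Packet("0.0.0.0", 68, "255.255.255.255", 67),   # DHCPDISCOVER (outbound)
    Packet(SERVER, 67, "255.255.255.255", 68),      # DHCPOFFER (inbound)
]

# Mid-lease renewal: unicast REQUEST to the server, unicast ACK back.
RENEWAL = [
    Packet(CLIENT, 68, SERVER, 67),                 # DHCPREQUEST (outbound)
    Packet(SERVER, 67, CLIENT, 68),                 # DHCPACK (inbound)
]


def verdicts(exchange):
    """(state, accepted) for the inbound reply, the last packet of the exchange."""
    _, st, ok = simulate(exchange)[-1]
    return st, ok


if __name__ == "__main__":
    for name, ex in (("expired lease", EXPIRED_LEASE), ("renewal", RENEWAL)):
        for p, st, ok in simulate(ex):
            print(f"{name:14} {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
                  f"state={st:11} dhclient-rule-accepts={ok}")
```

In this model neither DHCP reply is accepted by the quoted rule: the broadcast OFFER is NEW, so it falls through to whatever later rule (here, the anti-spoofing chain) logs and drops it, and the unicast ACK would need some other ESTABLISHED rule. A rule that accepts udp/68 from source port 67 without a state match does not depend on conntrack at all; whether that is exactly what FW_SERVICES_EXT_UDP="bootpc" generates in this SuSEfirewall2 version is an assumption, not something the thread confirms.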

